
HackerOne Reports

Search through disclosed security reports

The site https://newsletter.nextcloud.com runs phplist 3.2.5. Steps to reproduce: 1. Use the Firefox browser, latest version. 2. Go to https://newsletter.nextcloud.com/admin/?page=viewtemplate&id=123%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E 3. Log in as admin. 4. An alert box with the name of the domain appears. Please look at my PoC video in the attachment (phplist 3.2.5 has been installed on the localhost).
Hi, WEBrick seems to be vulnerable to a [response splitting attack](https://www.owasp.org/index.php/HTTP_Response_Splitting). The reproduction script is very similar to the code shown on the owasp page: ```ruby require 'webrick' class MyServlet < ::WEBrick::HTTPServlet::AbstractServlet def service req, res res.cookies << WEBrick::Cookie.new('author', req.query['author']) res.body = 'hello world' end end server = ::WEBrick::HTTPServer.new Port: …
I found an open JMXInvokerServlet/EJBInvokerServlet and normally I should be able to get a shell just by doing that. However I think due to some egress filtering on the box I've been having issues getting a shell to run. Invokers: https://card.starbucks.in/invoker/EJBInvokerServlet and https://card.starbucks.in/invoker/JMXInvokerServlet Command to output serialized data to a …
Upstream bug report ================ 2016-06-29 04:03 UTC https://bugs.php.net/bug.php?id=72512 Patch ===== 2016-07-19 07:47 UTC http://git.php.net/?p=php-src.git;a=commit;h=928aecc002e906b309b28f0062f03d4e5eda3e45 Fixed for PHP 5.5 (security only mode), PHP 5.6, PHP 7.0 http://php.net/ChangeLog-5.php#5.5.38 http://php.net/ChangeLog-5.php#5.6.24 http://php.net/ChangeLog-7.php#7.0.9 Description ========= gdImageTrueColorToPaletteBody doesn't check for negative transparent colors while converting the image. This leads to arbitrary null write and information leak. …
fms
## Description The functionality for adding emoticons into the chat from the server-side perspective is based on a string in the following format: ``` %%%[emoticon NAME|EMOTICON_URL|WIDTH|HEIGHT|REPORT_URL]%%% ``` The `EMOTICON_URL` must conform to the following regex: ```javascript /(http|https):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/g ``` However, the `REPORT_URL` does not have any checks that verify the URL. …
Hey, I've just found a 'full path disclosure' in basic-google-maps-placemarks, so it's not just a server configuration issue! I've tested it on different servers (including windows, ubuntu, CentOS etc..) #PoC So, if we visit `wp-content/plugins/basic-google-maps-placemarks/unit-tests.php` it is clearly disclosing the full path as you can see in the following links: …
Hi, In my previous report (number 126464) I mentioned that analytics.twitter.com has a CSP bypass which I couldn't exploit at that time. Now I've found a reflected XSS on careers.twitter.com which again I couldn't exploit by itself, because you have CSP. I've combined the two of them to successfully trigger XSS. …
Description: ----- Users who have files or folders shared with them can disable this sharing. Detail: ------ + use request: DELETE /nextcloud/ocs/v2.php/apps/files_sharing/api/v1/shares/[share-id]?format=json HTTP/1.1 Host: [your-host] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: [token of user the file is shared with] OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Cookie: [cookie …
Hello, Here's the link: http://www.rockstargames.com/newswire/tags#/?tags=../../comments_dal/users/getGlobalLoginSettings.json?callback=alert%28document.domain%29// Thanks, Ben
## Summary: The following endpoints are vulnerable to reflected XSS: ``` GET /oauth/{service:[A-Za-z0-9]+}/complete GET /api/v3/oauth/{service:[A-Za-z0-9]+}/complete GET /signup/{service:[A-Za-z0-9]+}/complete GET /login/{service:[A-Za-z0-9]+}/complete ``` The vulnerability exists due to the lack of sanitizing `redirect_to` field in `state` query param [here](https://github.com/mattermost/mattermost-server/blob/c114aba628e06e726aa1b5d9f3736d1fd154594c/web/oauth.go#L287-L288). ## Steps To Reproduce: 1. Setup local mattermost instance e.g. on address [http://localhost:8065](http://localhost:8065) ([server …
**Description:** I can log into `https://███ using` `█████` as credentials ## Impact Can do anything an ██████████ can do in this application, Server Now ## Step-by-step Reproduction Instructions 1. go to `https://███████` 2. log in using `██████████` ## Suggested Mitigation/Remediation Actions use proper authentication, this might be a test account …
In Active Storage, formats treated as binary have been confirmed, It does not contain `application/mathml+xml`. https://github.com/rails/rails/commit/d40284b1a44773b03d78ca67a888b94fd330d1b1 In `Marcel::MimeType.for`, if content-type can not be determined with magic byte, since it is determined using the extension, uploading the file with `.mml` will be judged as `application/mathml+xml`. ```ruby #https://github.com/minad/mimemagic/blob/master/lib/mimemagic/tables.rb#L387 'mml' => 'application/mathml+xml', ``` …
## Summary There exists a race condition in performing retests. By executing multiple requests to confirm a retest at the same time, a malicious user is paid multiple times for the retest. This allows for stealing money from HackerOne, which could go unnoticed by both HackerOne and the attacker (me). …
Hi there, I found a Padding Oracle (MS10-070) in the following website: https://█████████/ In the following steps I will demonstrate how to reproduce the vulnerability. POC: 1. Go to the following URL: https://████/ You will see in the source code of the page something like "WebResource.axd?d=" webresource.jpg 2. Open the link and …
Hi there, I just found that the website https://help.nextcloud.com is affected by "Web cache poisoning". Abusing this bug, an attacker can: 1. Poison your cache with an HTTP header with XSS included. This attack may lead to Stored XSS. 2. Poison your website so that it contains a malware URL (cache poisoned by the attacker); maybe the user's …
Hello Shopify team! I found a POST-based XSS which may be shared with other users and occurs in Firefox, IE and Edge. How to reproduce: 1. At partners.shopify.com go to Apps -> choose one -> More actions -> Create Shopify App Store listing 2. You will get redirected to a URL with …
I have found an XSS payload available in a GET request. Live PoC URL: https://www.tradus.com/en/s/braem-used-parts/make-man+mercedes-benz+zf+other+fuller/location-belgium+netherlands+germany+poland+denmark+france+united-kingdom+spain+sweden+italy+austria+finland+norway+ukraine+russia+czechia+greece+romania+hungary+portugal+belarus+switzerland+slovakia+united-arab-emirates+bulgaria+lithuania+ireland+latvia+turkey+croatia+estonia+vietnam+bosnia-herzegovina+slovenia+india+china+andorra+iceland+macedonia+mongolia+united-states+brazil+hong-kong-sar-china+israel+serbia/pricetype-fixed+upon-request/?query=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&year_from=09&year_to=09&price_from=1234&price_to=1234 Tested with an old version of Firefox, where available, with the XSS filter disabled. ## Impact This allows an attacker to inject custom JavaScript code that can be used to steal information from Zomato's user base and lure them …